Annotation of src/usr.bin/ssh/README.smartcard, Revision 1.6
How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:

(1) enable SMARTCARD support in OpenSSH:

	$ vi /usr/src/usr.bin/ssh/Makefile.inc
	and uncomment
		CFLAGS+= -DSMARTCARD
		LDADD+= -lsectok

(2) load the Java Cardlet to the Cyberflex card and set the card passphrase:

	$ sectok
	sectok> login -d
	sectok> junload Ssh.bin
	sectok> jload /usr/libdata/ssh/Ssh.bin
	sectok> setpass
	Enter new AUT0 passphrase:
	Re-enter passphrase:
	sectok> quit

Do not forget the passphrase. There is no way to
recover if you do.

IMPORTANT WARNING: If you attempt to login with the
wrong passphrase three times in a row, you will
destroy your card.

If you have loaded an older version of Ssh.bin on
your card previously, you must unload it and load
the new one.

(3) load an RSA key to the card:

Please don't use your production RSA keys, since
with the current version of sectok/ssh-keygen
the private key file is still readable.

	$ ssh-keygen -f /path/to/rsakey -U 1
	(where 1 is the reader number; you can also try 0)

In spite of the name, this does not generate a key.
It just loads an already existing key on to the card.

(4) tell the ssh client to use the card reader:

	$ ssh -I 1 otherhost

(5) or tell the agent (don't forget to restart it) to use the smartcard:

	$ ssh-add -s 1

-markus,
Tue Jul 17 23:54:51 CEST 2001
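Step (1) above depends on two Makefile.inc lines being uncommented before ssh is rebuilt; a build without them silently produces a client with no -I/-U support. The following POSIX sh script is an added example, not part of OpenSSH or this README: it checks a given Makefile.inc for both active lines and reports which one is missing. The sample files it writes are constructed stand-ins for the real Makefile.inc, and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not OpenSSH code): verify that SMARTCARD support is
# enabled in a Makefile.inc before building ssh.
# Returns 0 when both "CFLAGS+= -DSMARTCARD" and "LDADD+= -lsectok" are
# present and not commented out, 1 when either is missing, 2 on an
# unreadable file.
check_smartcard_enabled() {
    mk="$1"
    [ -r "$mk" ] || { echo "cannot read $mk" >&2; return 2; }
    # A line counts only if it starts (after optional blanks) with the
    # variable name, so "#CFLAGS+= -DSMARTCARD" is still treated as off.
    if ! grep -Eq '^[[:blank:]]*CFLAGS\+=.*-DSMARTCARD' "$mk"; then
        echo "$mk: missing CFLAGS+= -DSMARTCARD"
        return 1
    fi
    if ! grep -Eq '^[[:blank:]]*LDADD\+=.*-lsectok' "$mk"; then
        echo "$mk: missing LDADD+= -lsectok"
        return 1
    fi
    echo "$mk: SMARTCARD support enabled"
    return 0
}

# Constructed sample (hypothetical, not the real Makefile.inc): the
# default state where both lines are still commented out.
write_sample_disabled() {
    cat > "$1" <<'EOF'
CFLAGS+= -Wall
#CFLAGS+= -DSMARTCARD
#LDADD+= -lsectok
EOF
}

# Constructed sample: the state after uncommenting both lines.
write_sample_enabled() {
    cat > "$1" <<'EOF'
CFLAGS+= -Wall
CFLAGS+= -DSMARTCARD
LDADD+= -lsectok
EOF
}

# Stand-alone demo: run as "sh check_smartcard.sh demo" to compare the
# two samples; run against the real tree with
# "sh check_smartcard.sh /usr/src/usr.bin/ssh/Makefile.inc".
main() {
    if [ "$1" = demo ]; then
        tmp="${TMPDIR:-/tmp}/mkinc.$$"
        write_sample_disabled "$tmp.off"
        write_sample_enabled "$tmp.on"
        check_smartcard_enabled "$tmp.off" || true
        check_smartcard_enabled "$tmp.on"
        rm -f "$tmp.off" "$tmp.on"
    elif [ -n "$1" ]; then
        check_smartcard_enabled "$1"
    fi
}

main "${1:-}"
```

The grep patterns anchor on the variable name at the start of the line, so a commented copy of either line does not count as enabled; the `.*` between the assignment and the flag tolerates other flags sharing the same line.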